MDaemon WorldClient < 12.5.7 Multiple XSS Vulnerabilities

medium Nessus Plugin ID 62125

Synopsis

The remote webmail client is affected by multiple cross-site scripting vulnerabilities.

Description

According to its banner, the version of MDaemon's WorldClient is earlier than 12.5.7 and is therefore affected by the following cross-site scripting vulnerabilities:

- Input supplied in the body of an email is not properly sanitized before being presented to the user. Specially crafted email messages that can exploit this error contain CSS expression properties with comments inside 'STYLE' attributes inside either image or other elements. Another method is to use the 'innerHTML' attribute in XML documents. This is a persistent cross-site scripting issue. (CVE-2012-2584)

- Input supplied via unspecified vectors is not properly sanitized before being presented to the user.

Solution

Upgrade to MDaemon 12.5.7 or later.

See Also

http://files.altn.com/MDaemon/Release/relnotes_en.html

Plugin Details

Severity: Medium

ID: 62125

File Name: mdaemon_worldclient_12_5_7.nasl

Version: 1.11

Type: remote

Published: 9/17/2012

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:alt-n:mdaemon

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 8/16/2012

Vulnerability Publication Date: 8/8/2012

Reference Information

CVE: CVE-2012-2584

BID: 54885

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990